How a 13-Word Edit Shapes AI Research Recommendations

A single short phrase on a public forum can now steer what an AI research agent recommends. Researchers at Cornell Tech have demonstrated that deep-research AI agents are vulnerable to manipulation through minor edits on user-generated pages. A lone Reddit-style comment, for example, can be transformed into a cited recommendation for counterfeit products, nonexistent services, or fabricated entities.

The research paper defines these tampered pages as “poisoned” because the inserted content is engineered to dictate what the AI system cites and repeats. The weakness lies in systems that browse the web, collect sources, and produce cited reports. The team named this exploit WARP, an acronym for Web Agent Retrieval Poisoning.

The attack does not require breaching the AI model, its prompts, the search engine, or the retrieval system. Instead, an attacker simply edits or adds text to a page the agent is likely to retrieve, such as a Reddit thread, Wikipedia entry, or forum post. When the agent searches related topics later, it may pull in that page, cite it, and propagate the attacker’s chosen message.

Deep-research tools frequently execute numerous related searches for a single user query, and the study found that the same user-generated pages appeared across different searches for the same topic.

Reddit emerged as the primary vulnerability. Across the open-source systems STORM, Co-STORM, and OmniThink, between 17% and 23% of all retrieved URLs came from user-generated platforms like Reddit, YouTube, Facebook, and Wikipedia. Of those, Reddit alone accounted for 54% to 71% of the user-generated URLs retrieved.

The researchers did not modify live websites. They used a simulation framework called GeoStorm to inject manipulated text into retrieved content during testing.

The attack succeeded with remarkably brief snippets, often as short as 13 words. In one experiment, a 15-word sentence promoted a fake cryptocurrency, BananaCoin, as an “emerging” long-term investment option in a Co-STORM report. The report cited the altered source alongside legitimate cryptocurrency references.

When the manipulated page was retrieved, the fake entity appeared in 38% to 51% of reports across the systems. Targeting multiple pages increased that range to 42% to 62%.

The attack remained effective even when systems retrieved full Reddit threads, though mention rates were lower. When injected text was added to complete Reddit threads and made up less than 4% of the retrieved content, the fake entity still appeared in 30% to 53% of reports when that page was retrieved.

Defenses proved inadequate. Blocking user-generated domains stopped the attack but also removed valuable sources like firsthand product reviews and local recommendations. Text filters tested could not reliably distinguish injected passages from normal user content. Because the manipulated passages were generated by an AI model, they were fluent, causing perplexity-based filters to flag typical user content more often than the injected text.

Report-level checks also failed. Altered reports appeared similar to clean ones because the agent integrated the fake recommendation into an otherwise normal answer.

Why this matters to marketers and SEO professionals. A small edit on a public page can now influence cited AI answers. Misinformation planted on sites like Reddit or forums can move from discussion threads to credible-looking AI recommendations. If an AI agent cannot find your brand, potential customers may not find it either.

About the research. The paper, titled Deep-Research Agents Can Be Poisoned via User-Generated Content, was authored by Tingwei Zhang, Harold Triedman, and Vitaly Shmatikov of Cornell Tech and posted to arXiv on May 22. The team tested the full attack on three open-source systems: STORM, Co-STORM, and OmniThink. They analyzed OpenAI Deep Research and Gemini Deep Research for user-generated citations but did not run live manipulation tests, as that would require publishing altered content to the open web.